I've heard that there are attacks that can get passwords out of RAM while turned on.

If a server, CentOS 7.5 and LUKS enabled, it's tty1 locked, which is on a VMWare hypervisor that is locked with a password, is gained access by government agencies while functioning/turned on, can government agencies unlock this server's virtual hard drive and read contents out of it?

1 Answer
1

Absolutely. LUKS (and other disk encryption utilities) only provide data-at-rest security. That is, the only way to access the raw data itself when the system is powered off is by knowing the encryption password. When the system is on, however, there are a number of ways to retrieve the disk encryption keys. These do not require government-level resources to pull off:

Cold boot - A cold boot attack involves shutting the machine off suddenly and putting the memory chips into another motherboard, then reading out their contents. This works because data in memory persists for a short period after the power has been cut (a longer period if they are chilled to a very low temperature). The encryption keys, or at least data that can be used to reconstruct the encryption keys, will be present in RAM. This attack is more effective for older DDR2 memory, but is absolutely possible with the newer DDR3 and DDR4.

DMA - A DMA (Direct Memory Access) attack is one where a device is plugged into the computer that can become bus master. This includes Firewire and Thunderbolt connections, as well as PCIe cards. When these are plugged in, the operating system will often grant them full access to memory, allowing them to directly read from and write to memory without the CPU's further involvement. While newer systems with IOMMU hardware may not be quite as vulnerable to this, it is still a favorite technique of law enforcement.

JTAG - There is a debugging protocol that can be used to take complete control of a CPU called JTAG. When you plug in a JTAG probe to a special header on the motherboard, you can halt processor state, read and write to registers and memory addresses, initiate IO, and more. Essentially all x86 processors support JTAG, and there is no way to disable it in software. The only reason this technique is not used more is because the above are usually more effective and a lot cheaper, but it can still be used as a tool of last resort.

IPMI - Some servers will have IPMI enabled, which allows remote access to anyone with a password. When IPMI is active in a datacenter, the password is typically known to the datacenter, and law enforcement can trivially demand access. Unless you are using a colocated server that you have physical control over, IPMI is likely supported and in use.